The AzureAD side of things appears to be working and confirms successful login. However once the login process hands off to Canvas, we get the error message "No such account for user username@domain". The usernames we are using for testing do exist in Canvas and our Canvas user accounts all have a login entry containing the account information it claims to not be able to find.
The Login attribute being used is "Name ID" as set in the instructions but our ADFS service uses "eduPersonPrincipalName" and works login into Canvas - but does not work for AzureAD into Canvas.
In addition to authentication via ADFS, some admin users also have a direct login using a manually created login and password. These manual authentication modes tend to use the friendly email address (email@example.com)
So I am replying to my own question, as I think I now understand what is going on here.
When we launched Canvas at our institution a few years ago, we enabled ADFS for all our user. After doing some investigation into the issue I reported above, I realised that the user logins record for each user was explicitly specifying that the authentication id of our ADFS integration was used, rather than the new AzureAD authentication.